Score:1

How do I add extra download directories to AppArmor for Firefox running under snap?


I recently updated to Ubuntu 22.04.1 and went to a site where I occasionally download things from. I typically save files from this site to an sshfs mount shared from another system on my home network, which is outside of the ~/Download path, but mounted as a subdirectory of my $HOME.

Firefox froze when I first tried downloading, and I eventually realized it was being blocked by AppArmor. When it happened a second time, I stopped the AppArmor service, and Firefox unfroze, but it still got a Permission Denied error.

Here are some example dmesg audit messages from the initial failure:

[Mon Dec 12 09:56:59 2022] audit: type=1400 audit(1670596598.697:172985): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=1048673 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Dec 12 09:57:00 2022] audit: type=1107 audit(1670596598.829:172986): pid=1076 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.32040" pid=1048673 label="snap.firefox.firefox" peer_pid=1366885 peer_label="unconfined"
[Mon Dec 12 09:57:00 2022] audit: type=1107 audit(1670596598.829:172988): pid=1076 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.32040" pid=1048673 label="snap.firefox.firefox" peer_pid=1366885 peer_label="unconfined"
[Mon Dec 12 09:57:08 2022] audit: type=1400 audit(1670596606.925:172990): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/mike/sshfs/filename.txt" pid=1048673 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1006
[Mon Dec 12 09:57:08 2022] audit: type=1400 audit(1670596606.925:172990): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/mike/sshfs/filename-1.txt" pid=1048673 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1006
[Mon Dec 12 09:57:08 2022] audit: type=1400 audit(1670596606.925:172990): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/mike/sshfs/filename-2.txt" pid=1048673 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1006
[...previous message repeats many times with an incrementing number on the filename...]

(Annoyingly, this failure ended up creating a few tens of thousands of zero-length files.)

After doing systemctl stop apparmor, the messages changed a bit, no longer repeating almost endlessly, but I get a pretty straight denial:

[Mon Dec 12 10:02:58 2022] audit: type=1400 audit(1670596957.682:187529): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/mike/sshfs/" pid=1366974 comm="pool-firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1006
[...snip some dbus-related messages...]
[Mon Dec 12 10:03:10 2022] audit: type=1400 audit(1670596969.158:187537): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/mike/sshfs/filename.txt.part" pid=1366974 comm=4261636B67726F7E506F6F6C202332 requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1006
[Mon Dec 12 10:03:10 2022] audit: type=1400 audit(1670596969.166:187538): apparmor="DENIED" operation="unlink" profile="snap.firefox.firefox" name="/home/mike/sshfs/filename.txt.part" pid=1366974 comm="firefox" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1006

How do I add extra directories for Firefox to have write permission? Would anything special need to be done for an sshfs path as opposed to something on the local filesystem?
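
Added example (not part of the original post): a small Python triage script for AppArmor denials like those quoted above. It groups file denials by profile and directory, collects the denied permission letters, and decodes hex-encoded `comm` values such as the one on the `.part` line; `SAMPLE` is constructed from the question's lines (shortened), and the function names are this example's own.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample: the question's audit lines, shortened to the fields used here.
SAMPLE = """\
audit: type=1400 audit(1670596598.697:172985): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=1048673 comm="firefox" requested_mask="r" denied_mask="r"
audit: type=1107 audit(1670596598.829:172986): pid=1076 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" mask="send" label="snap.firefox.firefox"
audit: type=1400 audit(1670596606.925:172990): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/mike/sshfs/filename.txt" pid=1048673 comm="firefox" requested_mask="wc" denied_mask="wc"
audit: type=1400 audit(1670596957.682:187529): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/mike/sshfs/" pid=1366974 comm="pool-firefox" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1670596969.158:187537): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/mike/sshfs/filename.txt.part" pid=1366974 comm=4261636B67726F7E506F6F6C202332 requested_mask="wc" denied_mask="wc"
audit: type=1400 audit(1670596969.166:187538): apparmor="DENIED" operation="unlink" profile="snap.firefox.firefox" name="/home/mike/sshfs/filename.txt.part" pid=1366974 comm="firefox" requested_mask="d" denied_mask="d"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_FIELDS = {"comm", "name"}  # string fields the audit layer may emit unquoted, as hex


def parse_line(line):
    """Return the key=value fields of one audit line, decoding hex-encoded strings."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # A string containing a space or non-printable byte is logged unquoted as hex.
        if bare and key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields


def summarize(log_text):
    """Group file denials by (profile, directory) -> denied permissions and task names."""
    out = defaultdict(lambda: {"masks": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = parse_line(line)
        if not all(k in f for k in ("profile", "name", "denied_mask", "comm")):
            continue  # D-Bus denials carry label=/mask= instead; they are not file rules
        name = f["name"]
        directory = name.rstrip("/") if name.endswith("/") else posixpath.dirname(name)
        entry = out[(f["profile"], directory)]
        entry["masks"].update(f["denied_mask"])
        entry["comms"].add(f["comm"])
        entry["count"] += 1
    return dict(out)


if __name__ == "__main__":
    for (profile, directory), e in sorted(summarize(SAMPLE).items()):
        print(profile, directory, "".join(sorted(e["masks"])), e["count"], sorted(e["comms"]))
```

Pass the output of `dmesg` or `journalctl -k` to `summarize()` in place of `SAMPLE` to see which directories and permission letters a confined profile is being refused.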

Score:0

I saw another answer here about granting permissions to an extra file/folder with AppArmor, so I believe this should also be applicable for you (but I'm not an expert on AppArmor rules).

Try the following:

  • Add a local override to /etc/apparmor.d/local/usr.bin.firefox:

    sudo nano /etc/apparmor.d/local/usr.bin.firefox
    
  • Add this line for the directory you want access to:

    /home/mike/sshfs/ rw,
    

    (If you want more directories, you can add several lines.)

  • Save and exit nano: Ctrl+X, Y and Enter.

  • Reload AppArmor entries for Firefox:

    sudo apparmor_parser -r /etc/apparmor.d/local/usr.bin.firefox
    
  • And finally restart Firefox.

Hopefully this will allow access to the folder.
